CISCO IPS 4255

r.barba · ‎06-11-2009

Hi Friend

I have a Cisco IPS 4255, and I put all the upgrades that Cisco recomend. So, I put the ARES signature with TCP RESET like the action, but the ARES is working without the problem, and I need to stop these traffic. How can I stop the ARES P2P traffic.

I will wait your answer.

Regards

Rafael Barba

rhermes · ‎06-12-2009

Is your sensor in-line or sniffing in promiscious mode? If it is in-line then you can drop the packets instead of sending a TCP Reset. If your sesor is promiscious, then you need a method of transmitting those resets back into the traffic stream.

r.barba · ‎06-12-2009

Hi friend thank you for your answer, my sensor is in-line mode, and I have configured the signture with both actions.

TCP reset and deny inline packet???, Should I change the action to other???, please tell me wich one???

Regards

Rafael Barba

rhermes · ‎06-12-2009

If your sensor is physically in-line then you only need to drop. Are your ARES signatures firing?

Check your alert log with "show event alert past 01:00" to see the past 1 hour of signature alerts.

r.barba · ‎06-12-2009

Hi friend.

Thank you for your answer, You know that the ARES signatures is not firing, I don not why??? I am sending 2 pictures ipslog1.jpg (is my signatures configuration), ipslog2.jpg (is the action configuration), What must I do in order to fix this issue.

Regards

Rafael Barba

r.barba · ‎06-24-2009

Hi friend.

Do you have any answer, about hi can I block the ARES with the IPS 4255??, I sent you my signature configuration, but I did not receive nothing. Could you help me??

Regards

Rafael Barba

michael.d.brown · ‎06-30-2009

check to see if your ARES is triggering that IPS signature.